Just like most auth processes, you pass in your app ID, and get back a "code." In a second "GET", you send that in for the access_token. You need to decrypt the result, which may be in HMAC. Use the SDK to manage these functions, as the other person recommended, and it will be easier.

"auth_signature_method" means the way in which the encrypted signature was signed. It's not the final access_token you can use to query the user's data on Facebook.